
Intrusion Detection Systems - what are they, really?


Johannesburg, 02 Jun 2004

Martin May, Regional Director Africa, Enterasys Networks, unpacks the technologies that provide your business security from the core.

Intrusion Detection Systems (IDS) have been in the security market for quite some time now but few businesses truly understand what elements they are comprised of and how they can be implemented to suit specific requirements. IDS technologies and methodologies are used for one reason - they are your last chance to be notified of a potential break-in.

Once a company has invested a large amount of time, money and resources into setting up any one of the multitude of firewalls, VPNs, PKI, policies and so forth, the IDS serves the single purpose of sitting back and watching over these elements to ensure they are holding up as they should. However, the reality of the current market is that many solutions are not correctly tailored to suit your specific business requirements.

IDS is functionally an "auditor". It examines network or system behaviour (through monitoring) and compares it to known "misuse" of those systems. Misuse is a broad term used to describe the various types of activity that are not desired, or not part of the intended purpose of the system (network or computer).

Misuse is commonly divided into two camps, namely Protocol and Signature. In reality, you write simple signatures to examine protocol use or misuse, which is why Protocol and Signature are often lumped together by some marketers but separated by others.

The detection technologies used to expose illicit activity on the network can be broken down into three distinct categories: pattern matching, protocol decoding and anomaly detection. It is almost computationally impossible to use 100% of all three methods, as each one requires a significant amount of overhead, so there are usually few resources left to attempt a full installation of a second, much less a third, form of detection methodology.

Current IDS solutions on the market use a combination of all three mechanisms, and each of them has individual advantages and disadvantages. So while some vendors claim that their solution is more capable than another, this claim is only partially true, as IDS methodologies can be combined or balanced with one another to deliver different types of solutions. The truth of the claim lies in whether or not these combinations suit your type of business.

With this in mind it's important to have an understanding of what each of these elements does. Pattern matching is the technique of looking for known patterns in traffic, usually at a more granular level than protocol analysis or anomaly detection. This methodology can be used to look for denial of service attacks that rely on sending corrupt packet headers. Protocol analysis uses more advanced calculations on each packet by looking at the packaging of traffic as opposed to the actual payload itself.

This technique verifies the headers to ensure that the packet contains what it says it does and ensures that specific types of encoding are not used. Finally there is anomaly detection, which is broken down into two sub-categories - behaviour based anomaly detection and protocol based anomaly detection. This methodology focuses on the bigger picture and has different forms of implementation, but a simple example would be that if packets don't match the established state of the connection, or are severely out of sequence, then an alarm is triggered.

As we explained earlier, every IDS on the market has to use a combination of all three methods due to computing limitations. The core engine of the solution will rely solely on one specific method, with fractions of the other two included to supplement the detection capabilities of the core. The choice of core methodology is important for two main reasons. Firstly, the methodology used directly impacts the number of different types of events that the IDS will be able to detect, and secondly, being able to detect a greater number of these events allows the IDS to deliver a more meaningful output that can be valuable to analysts or investigators.

For example, Enterasys Dragon has a core that relies heavily on advanced algorithms for pattern matching; however, it must also decode a number of protocols before they are sent to the pattern matching engine, in order to detect certain encoding mechanisms. Dragon also uses a form of anomaly detection that looks for overflows in various protocol fields. These are not full implementations of either protocol analysis or anomaly detection, but they are sufficient to successfully augment the core functionality of the Dragon.
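To make the three methods concrete, the following is an added toy inspector (not Dragon's code, nor anything from Enterasys) that runs each of them over a handful of constructed packets: a signature matcher that decodes percent-encoding before matching (the "decode before the pattern engine" point above), a protocol check that confirms the header's declared length matches the payload and that a request-line field stays within a size bound (the field-overflow check), and a per-flow state tracker that alarms on data with no preceding handshake or with a badly out-of-sequence number (the anomaly example in the earlier paragraph). The Packet record, the flow key format, the 64-byte URI bound and the 4096 sequence window are all assumptions made for the example, and the tracker only follows the client side of the handshake.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed, simplified packet record (not a real pcap parser): only the
# fields the three detection methods below need.
@dataclass
class Packet:
    flow: str            # assumed flow key, e.g. "10.0.0.5:4444>10.0.0.9:80"
    flags: str           # TCP flag letters: "S", "A", "PA"
    seq: int             # sequence number of this packet
    declared_len: int    # payload length the header claims
    payload: bytes = b""

# 1. Pattern matching: byte signatures run over a *decoded* payload, so a
#    percent-encoded variant of a pattern cannot slip past the matcher.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./"),
    "shell-probe": re.compile(rb"/bin/sh"),
}

def pattern_match(pkt):
    data = urllib.parse.unquote_to_bytes(pkt.payload)   # normalise first
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]

# 2. Protocol analysis: does the packet "contain what it says it does", and
#    does a decoded request-line field stay within an expected size?
MAX_URI_LEN = 64   # assumed bound for this toy HTTP decoder

def protocol_check(pkt):
    alerts = []
    if pkt.declared_len != len(pkt.payload):
        alerts.append("length-mismatch")
    m = re.match(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\n", pkt.payload)
    if m and len(m.group(2)) > MAX_URI_LEN:
        alerts.append("uri-field-overflow")
    return alerts

# 3. Anomaly detection: a per-flow state machine. Data on a flow that never
#    completed a handshake, or whose sequence number is far from what the
#    tracker expects, raises an alarm.
class FlowTracker:
    def __init__(self, window=4096):       # assumed tolerance window
        self.state = {}      # flow -> "SYN" | "ESTABLISHED"
        self.next_seq = {}   # flow -> expected next sequence number
        self.window = window

    def observe(self, pkt):
        alerts = []
        st = self.state.get(pkt.flow)
        if pkt.flags == "S":
            self.state[pkt.flow] = "SYN"
            self.next_seq[pkt.flow] = pkt.seq + 1
        elif pkt.flags == "A" and st == "SYN":
            self.state[pkt.flow] = "ESTABLISHED"
        elif pkt.payload:
            if st != "ESTABLISHED":
                alerts.append("data-without-handshake")
            else:
                expected = self.next_seq[pkt.flow]
                if abs(pkt.seq - expected) > self.window:
                    alerts.append("out-of-sequence")
                else:
                    self.next_seq[pkt.flow] = pkt.seq + len(pkt.payload)
        return alerts

def inspect(packets):
    """Run all three detectors; return [(packet index, [alert names])]."""
    tracker = FlowTracker()
    report = []
    for i, pkt in enumerate(packets):
        alerts = pattern_match(pkt) + protocol_check(pkt) + tracker.observe(pkt)
        if alerts:
            report.append((i, alerts))
    return report

# Constructed sample traffic exercising each detector once.
F = "10.0.0.5:4444>10.0.0.9:80"
G = "10.0.0.6:5555>10.0.0.9:80"
LONG = b"GET /" + b"A" * 80 + b" HTTP/1.1\r\n"
SAMPLE = [
    Packet(F, "S", 1000, 0),
    Packet(F, "A", 1001, 0),
    Packet(F, "PA", 1001, 26, b"GET /index.html HTTP/1.1\r\n"),               # benign
    Packet(F, "PA", 1027, 40, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"), # encoded traversal
    Packet(F, "PA", 1067, 5, b"GET /a HTTP/1.1\r\n"),                         # header lies about length
    Packet(F, "PA", 1084, len(LONG), LONG),                                   # oversized URI field
    Packet(F, "PA", 99999, 17, b"GET /b HTTP/1.1\r\n"),                       # wildly out of sequence
    Packet(G, "PA", 5, 17, b"GET /c HTTP/1.1\r\n"),                           # data, no handshake seen
]

if __name__ == "__main__":
    for idx, alerts in inspect(SAMPLE):
        print(f"packet {idx}: {', '.join(alerts)}")
```

Note that the traversal packet is caught only because the payload is decoded before the signature runs; matched against the raw bytes, `%2e%2e/` would never hit `../`. That ordering is the whole reason a pattern-matching core still needs a slice of protocol decoding in front of it.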

While pattern matching is not the sexiest of solutions it is extremely relevant and is often the best solution for detecting attacks or compromises while giving the analyst substantial information about the situation.

In today's market all Intrusion Prevention Systems (firewalls, VPNs etc) are based on IDS technology. The IDS was designed to take advantage of the luxury that passive analysis affords and is architected around the ability to be highly sensitive to anything that looks slightly suspicious. With a well-structured and tailored IDS solution you can be sensitive to as much or as little input as is needed to find and detect violations of a system's security.

However, one common mistake is that many businesses believe that the Intrusion Prevention System (IPS) could replace the IDS. An IPS is not an extension of an IDS; it's more of a firewall, and with only a single IPS security solution your business would not be protected from the core, leaving you vulnerable to attack.

In conclusion

IDS is not a difficult concept to understand, but the marketing departments of the technology world have conspired to give it complicated titles, thereby limiting a business's ability to make an informed decision on its choice of solution. Most businesses have heard the terms "multi-method detection", "stateful signature analysis", "backdoor traffic anomaly" and "heuristic detection", with each one claiming to be the latest breakthrough in hacker detection.

We can now see that each one is actually based on a singular core solution balanced out by partial inclusion of the other two. Now, with this information in hand you can work towards implementing a solution that is specifically designed to complement your unique business needs.


Enterasys Networks

Enterasys Networks (NYSE: ETS) is a global provider of Secure Networks for enterprise customers. Enterasys' innovative network infrastructure offerings deliver the security, productivity and adaptability benefits required by Global 2000 organizations, coupled with the industry's strongest service and support. For more information on Enterasys and its products, including multilayer switches, core routers, WAN routers, wireless LANs, network management, and intrusion defence systems (IDS), visit enterasys.com.

Editorial contacts

Charlene Carroll
Anti-Clockwise
(011) 234 2230/1
charlene@anticlockwise.co.za
Martin May
Extreme Networks
(011) 234 2230
mmay@enterasys.co.za